Yes, they can. A flaw discovered by cyber researchers last year allowed hackers to eavesdrop on and track people using regular Bluetooth audio devices. The flaw, known as WhisperPair, affected hundreds of millions of Bluetooth devices from various manufacturers that support Google’s Fast Pair feature.
The bug allowed bad actors to attack any user with a Bluetooth device within 50 feet of them. This includes users of both iPhone and Android devices, as hackers can pair to a user’s audio devices without permission. The hackers would then have complete control over the devices and could decide whether to track, eavesdrop on, or annoy the target by adjusting the volume of the audio products while in use.
Key takeaways
- Hackers can silently hijack Bluetooth audio devices for eavesdropping, tracking, and disruption.
- The flaw stems from poor implementation of Google’s Fast Pair in many popular devices.
- WhisperPair impacts hundreds of millions of devices from major brands.
- Many devices remain at risk. Users are advised to update firmware immediately.
How was the bug discovered, and are users still at risk?
A Belgium-based cybersecurity research group called COSIC at KU Leuven discovered the flaw and reported it to Google in August 2025.
The cyber researchers were awarded $15,000 through Google’s bug bounty program and were asked not to publicize the security issue for 150 days while Google and manufacturers issued a patch.
Researchers pointed out that improper implementation caused the bug. They also advised manufacturers to fix it.
However, many experts believe that many Bluetooth devices remain at risk.
How does the WhisperPair flaw work?
Google designed the Fast Pair feature to ignore pairing requests when a Bluetooth device is not in pairing mode.
However, the WhisperPair flaw allowed anyone to initiate pairing without the user’s permission and essentially establish a regular Bluetooth pairing.
Once paired, bad actors could gain complete control of the device, eavesdrop on its user, and even track their targets via Bluetooth. The research group that discovered the flaw explains it clearly in a YouTube video.
Which brands use Google’s Fast Pair feature?
The flaw affected hundreds of millions of devices, and the list of brands is fairly long. Users can see if their devices use the feature by checking the product’s specifications, and are advised to update immediately if the spec sheet mentions “Google Fast Pair” or “Fast Pair enabled by Google”.
Many brands, including Creative Labs, Sony, Marshall, Jabra, JBL, Xiaomi, Soundcore, OnePlus, Audio-Technica, Beats, JLab, and Bose, widely deploy the Fast Pair feature on their newer Bluetooth audio devices. However, it is essential to note that not all Fast Pair devices were vulnerable.
The WhisperPair security flaw is yet another reason to highlight the importance of running products with the latest software and firmware updates. It also emphasizes that not all companies have the capabilities or desire to secure their products appropriately.
Even though researchers discovered the bug more than five months ago, they confirmed that nearby hackers could still compromise the Bluetooth devices of users who haven’t updated them. The vulnerability remains present if a user refuses to update the firmware or if the manufacturer never issued a patch in the first place. Installing high-end cybersecurity protection software on all your devices is essential. Antivirus software solutions not only protect users from malicious attacks while browsing, but also remind them to update all their connected devices.
